OSV – Open Source Vulnerabilities
OSV is a vulnerability database and triage infrastructure for open source projects aimed at helping both open source maintainers and consumers of open source.
For open source maintainers, OSV’s automation helps reduce the burden of triage. Each vulnerability undergoes automated bisection and impact analysis to determine the precise affected commit and version ranges.
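To make the bisection and impact-analysis step concrete, here is an added illustration that is not OSV's own worker code. It assumes a linear commit history (a list of commit ids, oldest first), a reproduction check `reproduces(commit)` that returns True when the vulnerability triggers at that commit, and a tag map from commits to release versions; the history, tags and ground-truth bug window are constructed sample data. Two binary searches locate the introducing commit and the fixing commit, and the affected version list is read off the tags that fall inside that window.

```python
"""Commit bisection and version impact mapping (illustrative, not OSV code).

Assumptions: linear history, a monotone reproduction predicate (once the
bug is introduced it reproduces at every commit until it is fixed), and a
known-bad commit to start from. Real reproduction runs (build the project,
execute the crashing input in a sandbox) are stood in for by a function
over constructed data.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample history, oldest first: c01 .. c12, with release tags.
HISTORY: List[str] = [f"c{i:02d}" for i in range(1, 13)]
TAGS: Dict[str, str] = {"c02": "1.0.0", "c05": "1.1.0", "c08": "1.2.0", "c11": "1.3.0"}

# Constructed ground truth used only by the stand-in reproduction check:
# the bug is introduced at c04 and fixed at c09.
_INTRODUCED, _FIXED = "c04", "c09"


def sample_reproduces(commit: str) -> bool:
    """Stand-in for a sandboxed reproduction run at `commit`."""
    idx = HISTORY.index(commit)
    return HISTORY.index(_INTRODUCED) <= idx < HISTORY.index(_FIXED)


def first_index_where(history: List[str], lo: int, hi: int,
                      pred: Callable[[str], bool]) -> int:
    """Binary search for the first index in [lo, hi) where `pred` holds.

    Requires `pred` to be monotone on the span (False... then True...).
    Returns `hi` if `pred` never holds.
    """
    while lo < hi:
        mid = (lo + hi) // 2
        if pred(history[mid]):
            hi = mid
        else:
            lo = mid + 1
    return lo


def bisect_range(history: List[str], reproduces: Callable[[str], bool],
                 bad: str) -> Tuple[str, Optional[str]]:
    """Return (introducing commit, fixing commit or None if unfixed at HEAD).

    `bad` must be a commit at which the vulnerability reproduces; it bounds
    the two searches so each needs only O(log n) reproduction runs.
    """
    if not reproduces(bad):
        raise ValueError("bisection needs a starting commit that reproduces")
    bad_idx = history.index(bad)
    # First commit in [0, bad] that reproduces: the one that introduced the bug.
    intro_idx = first_index_where(history, 0, bad_idx + 1, reproduces)
    # First commit in [bad, HEAD] that no longer reproduces: the fix.
    fix_idx = first_index_where(history, bad_idx, len(history),
                                lambda c: not reproduces(c))
    fixed = history[fix_idx] if fix_idx < len(history) else None
    return history[intro_idx], fixed


def affected_versions(history: List[str], tags: Dict[str, str],
                      introduced: str, fixed: Optional[str]) -> List[str]:
    """Release versions whose tagged commit lies in [introduced, fixed)."""
    lo = history.index(introduced)
    hi = history.index(fixed) if fixed is not None else len(history)
    return [tags[c] for c in history[lo:hi] if c in tags]


if __name__ == "__main__":
    intro, fix = bisect_range(HISTORY, sample_reproduces, "c06")
    print("introduced:", intro, "fixed:", fix)
    print("affected versions:", affected_versions(HISTORY, TAGS, intro, fix))
```

Note the monotonicity requirement: if a bug was fixed and later reintroduced, a single bisection pass finds only one of the windows, which is one reason a triage pipeline re-checks the endpoints it reports.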
For open source consumers, OSV provides an API that lets users of these projects query whether or not their versions are impacted.
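The following is an added example of what such a query looks like from the consumer side; it is not OSV's own client code. This page does not spell out the API's endpoint or response schema, so the example assumes an HTTP POST endpoint (the URL below) that accepts a JSON body naming either a commit hash or a package name, ecosystem and version, and answers with a JSON object holding a `vulns` list of entries with an `id`. The sample response and its ids are constructed placeholders.

```python
"""Querying a vulnerability API by commit or by package version.

Added example, not OSV client code. The endpoint URL, request shapes and
the `vulns` response field are assumptions to verify against the live API
documentation before relying on them.
"""
import json
import re
import urllib.request
from typing import Any, Dict, List, Optional

# Assumed endpoint; confirm against the current API documentation.
QUERY_URL = "https://api.osv.dev/v1/query"


def build_query(commit: Optional[str] = None, *, package: Optional[str] = None,
                ecosystem: Optional[str] = None,
                version: Optional[str] = None) -> Dict[str, Any]:
    """Build a request body for exactly one lookup style.

    Either a commit hash (hex SHA) or the triple package + ecosystem +
    version; mixing the two is rejected so a typo cannot silently widen or
    narrow the query.
    """
    by_commit = commit is not None
    by_version = any(x is not None for x in (package, ecosystem, version))
    if by_commit and not by_version:
        if not re.fullmatch(r"[0-9a-f]{7,40}", commit):
            raise ValueError("commit must be a 7-40 character hex SHA")
        return {"commit": commit}
    if by_version and not by_commit and all((package, ecosystem, version)):
        return {"version": version,
                "package": {"name": package, "ecosystem": ecosystem}}
    raise ValueError("specify either a commit or package + ecosystem + version")


def affected_ids(response: Dict[str, Any]) -> List[str]:
    """Vulnerability ids from a response; a missing or empty `vulns` list
    means no known vulnerability matched the query."""
    vulns = response.get("vulns") or []
    return [v["id"] for v in vulns if isinstance(v, dict) and "id" in v]


def is_affected(response: Dict[str, Any]) -> bool:
    """True when the queried commit or version matches at least one entry."""
    return bool(affected_ids(response))


def query_live(body: Dict[str, Any], url: str = QUERY_URL,
               timeout: float = 10.0) -> Dict[str, Any]:
    """POST the body as JSON and decode the reply (network; not run offline)."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample response in the assumed shape, with placeholder ids.
SAMPLE_RESPONSE: Dict[str, Any] = {
    "vulns": [
        {"id": "OSV-EXAMPLE-0001",
         "summary": "Heap-buffer-overflow in parse_header (constructed)"},
        {"id": "OSV-EXAMPLE-0002",
         "summary": "Use-after-free in free_node (constructed)"},
    ]
}


if __name__ == "__main__":
    body = build_query(package="libfoo", ecosystem="OSS-Fuzz", version="1.2.3")
    print("request:", json.dumps(body))
    print("affected:", is_affected(SAMPLE_RESPONSE), affected_ids(SAMPLE_RESPONSE))
    # To run against the real service: print(query_live(body))
```

In a build or CI check, `is_affected` is the gate: an empty `vulns` list is a "no known match" answer, not proof of absence, so a consumer should also record which database snapshot the answer came from.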
Architecture
OSV runs on Google Cloud Platform, with the following main components:
Cloud Datastore
All vulnerability data is stored in Cloud Datastore, with the models defined here.
OSS-Fuzz
All of our data is currently sourced from OSS-Fuzz, and we are working to extend this with other sources.
Google Kubernetes Engine (GKE)
GKE is used for running workers to perform bisects and impact analysis. These workers consume tasks from a Cloud Pub/Sub topic.
Workers are Docker containers that use gVisor for sandboxing untrusted workloads.
Cloud Run / Cloud Endpoints
The API server runs on Cloud Run, and is served by Cloud Endpoints.
App Engine
The main web UI (https://osv.dev) runs on App Engine. App Engine cron jobs also schedule recurring tasks for the workers, allocate OSV IDs, and make vulnerabilities public at the appropriate times.
Download & Use
Copyright (C) 2021 Google